A new ransomware group that abuses legitimate Windows processes on victims’ systems, appears to have prior knowledge of their infrastructure, and likely uses Remote Desktop Protocol (RDP) for initial access launched three attacks in less than two weeks earlier this month, according to threat intelligence researchers with cybersecurity firm Huntress.
The group also claims to be part of BlackByte, a ransomware-as-a-service (RaaS) gang that has been around since 2021 and is known for evolving its tactics. That said, the Huntress researchers wrote in a report that they haven’t been able to verify the claim.
Two attacks by the group – dubbed “Crux” by the researchers – were detected on July 4, and a third one was seen July 13.
“For the first two observed incidents, we were unable to determine the initial access vector due to various factors,” they wrote. “However, for the third incident, we found that the initial access vector was the use of valid credentials via RDP.”
For years, RDP and similar remote-access technologies have been a favored entry point into corporate networks for ransomware and other threat groups holding stolen credentials. Researchers with cyber resilience platform maker Halcyon noted that chat logs from the notorious Black Basta group showed its members used almost 3,000 unique credentials to infiltrate networks, targeting remote desktop software and VPNs from Microsoft, Palo Alto Networks, Cisco, and others.
Check Point researchers likewise describe RDP as a continuing ransomware infection vector, writing that “with RDP, an attacker who has stolen or guessed an employee’s login credentials can use them to authenticate to and remotely access a computer within the enterprise network. With this access, the attacker can directly download the malware and execute it on the machine under their control.”
Huntress researchers wrote that they were only able to confirm the use of RDP in the third attack, but said the first two incidents showed indications that the bad actors had prior knowledge of the targets’ infrastructure.
In all the detected cases, the names of the ransomware executable were different, with identifiers that seem to be unique to each targeted organization. The command line for launching the ransomware will contain the identifier and either the -s or -a argument, they wrote.
“Before encrypting files, the ransomware executable launches the legitimate svchost.exe, albeit with a distinctive command line, perhaps through process injection: either -a or -s and the unique identifier provided when the ransomware executable was launched,” the researchers wrote.
svchost.exe is a legitimate Windows process that hosts multiple services, which is also why attackers use it to disguise their own commands, according to Huntress.
“From this process, a command prompt is launched to run the LOLBin bcdedit.exe, which modifies the boot configurations and disables system recovery,” they wrote. “This stops any system restoration attempts by the victim, making ransomware attacks more difficult to recover from.”
In the first incident, the ransomware was detected on seven endpoints belonging to one organization, though the activity varied across the endpoints. On some, the bad actor disabled recovery via bcdedit.exe, which triggered canary reports (canary files are placed on systems deliberately to aid detection and thwart ransomware attacks), while on others more activity was detected, including remote registry dumps, the installation of drivers, and the use of Rclone, a command-line program for managing files in cloud storage.
The other July 4 incident also involved bcdedit.exe and, again, tripped canary files. For this attack, the bad actors created user accounts and executed commands that indicated lateral movement through the network before disabling Windows recovery tools and deploying ransomware.
On July 13, the Crux ransomware was launched within seven minutes of the initial test login that apparently used valid credentials to verify access. Within 90 seconds of the login, the ransomware was deployed. The threat actors used a support user account and accessed the endpoint through the administrator account, the researchers wrote.
“A closer look at the detected activity shows the threat actor logging in via the support account and then running through the process lineage involving svchost.exe and bcdedit.exe before creating the ransom notes,” they wrote.
Given that in at least one of the incidents the Crux crew used RDP for initial access, organizations need to secure exposed RDP instances, the Huntress team wrote. The ransomware gang also favors legitimate processes such as bcdedit.exe and svchost.exe, so security teams need to monitor for that kind of suspicious behavior with endpoint detection and response (EDR) tools.
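The process lineage described above (an oddly-parameterized svchost.exe spawning cmd.exe, which in turn runs bcdedit.exe to disable recovery) is exactly the kind of behavior the Huntress team says EDR should watch for. The following is an added detection example, not code from Huntress or the original article: it walks a set of constructed process-creation events (field names are assumed, loosely modelled on Sysmon Event ID 1) and flags a svchost.exe whose command line is `-a`/`-s` plus an identifier rather than the usual `-k <group>` form, is not a child of services.exe, and has a bcdedit.exe descendant touching the well-known recovery-related boot options (`recoveryenabled`, `bootstatuspolicy`, which the article does not name).

```python
import re

# Constructed sample events, not real telemetry. pid/ppid/image/cmdline
# are assumed field names. The "7f3a91" identifier is made up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\System32\services.exe",
     "cmdline": "services.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},                 # normal svchost
    {"pid": 200, "ppid": 50,  "image": r"C:\Users\support\Desktop\acme_7f3.exe",
     "cmdline": "acme_7f3.exe -s 7f3a91"},                    # ransomware launch
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -s 7f3a91"},                     # odd svchost
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c bcdedit /set {default} recoveryenabled No"},
    {"pid": 203, "ppid": 202, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
]

# svchost launched with only "-a <id>" or "-s <id>" instead of "-k <group>".
SUSPICIOUS_SVCHOST = re.compile(r"(?i)^(?:.*\\)?svchost(?:\.exe)?\s+-[as]\s+(\S+)\s*$")
# bcdedit options commonly used to disable Windows recovery (assumed, not from the article).
BCDEDIT_RECOVERY = re.compile(r"(?i)\b(recoveryenabled|bootstatuspolicy)\b")

def _image_is(event, name):
    return event["image"].lower().endswith("\\" + name)

def _descendants(pid, children):
    """Depth-first walk over all descendant events of pid."""
    stack = list(children.get(pid, []))
    while stack:
        e = stack.pop()
        yield e
        stack.extend(children.get(e["pid"], []))

def find_crux_lineages(events):
    """Return one alert per suspicious svchost.exe that leads to recovery-disabling bcdedit."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    alerts = []
    for e in events:
        if not _image_is(e, "svchost.exe"):
            continue
        m = SUSPICIOUS_SVCHOST.match(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is not None and _image_is(parent, "services.exe"):
            continue  # legitimately service-hosted svchost; skip
        for d in _descendants(e["pid"], children):
            if _image_is(d, "bcdedit.exe") and BCDEDIT_RECOVERY.search(d["cmdline"]):
                alerts.append({"svchost_pid": e["pid"], "bcdedit_pid": d["pid"],
                               "identifier": m.group(1),
                               "parent_image": parent["image"] if parent else "<unknown>"})
                break
    return alerts
```

In a real deployment the same logic would run over EDR or Sysmon process-start telemetry, and the parent-image field gives the analyst the ransomware executable name to pivot on.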